Thread: spyware?
05-28-2004, 11:45 PM   #11
Lobos
Member (10 bit)
 
Join Date: Mar 2004
Location: California
Posts: 936
OK, took me longer than a sec.

First, create a folder just for HijackThis. The reason is that it makes backups; once it runs smoothly you can delete the backups.

You may want to copy this to Notepad for when you go into safe mode.

HijackThis is not able to remove this line, so do this:

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
Download Registrar Lite

Put it in its own folder. You may want to keep this program. It is an excellent free registry editor.
Copy and paste the following text into the address bar, then hit 'Go':
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks

In the pane on the right are the values associated with that key.
We want to remove this one -> _{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
Notice the underscore at the end; all the others with that need to go as well.

Right click on it, and select delete.
If you get a confirmation question, respond OK, then close out the program.

Download this just in case you have webHancer:
http://www.cexx.org/lspfix.htm
If you lose your internet connection, then use this.
Next
--------------------------------------------------------------------------

Uninstall these:
Gozilla
webhancer
Run HijackThis, put a check next to these, close all browsers and hit Fix.

Make sure not to miss one.


R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/

O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-EEFD-ED6DB186CE4D} - C:\WINDOWS\DOWNLO~1\404SEA~1.DLL
O2 - BHO: (no name) - {FA44D979-9A32-431A-BDB7-8C6939433DC2} - C:\WINDOWS\hqvplt.dll
O2 - BHO: (no name) - {FABB0E5E-882F-4A14-973E-2BB7C3EE79B5} - C:\WINDOWS\zmlf.dll
O3 - Toolbar: (no name) - {D0762A88-70D6-481C-BCA0-EEFDE125F519} - (no file)
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [HRJWEOZ] C:\WINDOWS\HRJWEOZ.exe
O4 - HKLM\..\Run: [VCFMTZGMT] C:\WINDOWS\VCFMTZGMT.exe
O4 - HKLM\..\Run: [BOVFPVC] C:\WINDOWS\BOVFPVC.exe
O4 - HKLM\..\Run: [FCIMSZGMT] C:\WINDOWS\FCIMSZGMT.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tbymas] C:\WINDOWS\mxshx.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKCU\..\Run: [IMArchive_Start] C:\Program Files\IMArchive\IMArchive.exe
O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\ScanSoft\PaperPort\Config\Ereg\REMIND32.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe


O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm


O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://dev-www.fileplanet.com/fpdlm...DC_1_0_0_41.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} -
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsol...ArcadeRdxIE.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697519} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_aac.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/budicon.cab


-----------------------------------------------------------------------------------------------------------------------------------
Next

Open My Computer. Go to Tools, Folder Options and click on the View tab. Make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files". Now click "Apply to all folders".
Click "Apply" then "OK".

Reboot into safe mode.

How to boot into safe mode

Delete what is in bold:

C:\Program Files\WebHancer folder

These files:

C:\WINDOWS\VCFMTZGMT.exe
C:\WINDOWS\BOVFPVC.exe
C:\WINDOWS\FCIMSZGMT.exe
C:\WINDOWS\xshx.exe
C:\WINDOWS\HRJWEOZ.exe

Come back and post a fresh log.

Last edited by Lobos; 05-28-2004 at 11:49 PM.
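Added example, not part of Lobos's post: a small Python triage script that parses HijackThis log lines of the kinds quoted above and flags the patterns the post singles out (the underscore-prefixed URLSearchHook, unnamed BHOs and toolbars, autostart executables dropped straight into C:\WINDOWS, O16 download controls with no source URL, and entries referencing webHancer or Gozilla). The heuristics and the sample log are my own construction, not HijackThis's own logic.

```python
import re

# An autostart executable sitting directly in the Windows directory (no subfolder),
# e.g. C:\WINDOWS\HRJWEOZ.exe, which is where the junk in the post lives.
WINDOWS_ROOT_EXE = re.compile(r'[A-Z]:\\WINDOWS\\[^\\"\s]+\.exe', re.I)
UNWANTED_VENDORS = ("webhancer", "gozilla")  # programs the post says to uninstall


def flag_entry(line):
    """Return a reason string if a HijackThis log line looks suspicious, else None."""
    line = line.strip()
    kind, sep, body = line.partition(" - ")
    if not sep:
        return None
    if any(v in line.lower() for v in UNWANTED_VENDORS):
        return "references a known unwanted program"
    if kind == "R3" and "_{" in body:
        return "URLSearchHook CLSID prefixed with '_' (HijackThis cannot fix it; remove via registry editor)"
    if kind in ("O2", "O3") and "(no name)" in body:
        return "unnamed BHO or toolbar"
    if kind == "O4" and WINDOWS_ROOT_EXE.search(body):
        return "autostart executable placed directly in the Windows directory"
    if kind == "O16" and "://" not in body:
        return "ActiveX download control with no source URL"
    return None


def flag_log(text):
    """Return [(kind, reason, line)] for every suspicious entry in a HijackThis log."""
    hits = []
    for raw in text.splitlines():
        reason = flag_entry(raw)
        if reason:
            hits.append((raw.strip().split(" - ", 1)[0], reason, raw.strip()))
    return hits


# Constructed sample log, built from entries of the kind quoted in the post above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {FA44D979-9A32-431A-BDB7-8C6939433DC2} - C:\WINDOWS\hqvplt.dll
O3 - Toolbar: (no name) - {D0762A88-70D6-481C-BCA0-EEFDE125F519} - (no file)
O4 - HKLM\..\Run: [HRJWEOZ] C:\WINDOWS\HRJWEOZ.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} -
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
"""

if __name__ == "__main__":
    for kind, reason, line in flag_log(SAMPLE_LOG):
        print(f"[{kind}] {reason}\n    {line}")
```

Six of the eight sample entries are flagged; the QuickTime and Google toolbar lines pass, which matches what the post leaves alone.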